[Buildroot] [PATCH] package/python-django: security bump to version 2.1.9
Peter Korsgaard
peter at korsgaard.com
Thu Jun 6 12:20:54 UTC 2019
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Fixes the following security issues:
> CVE-2019-12308: AdminURLFieldWidget XSS
> The clickable "Current URL" link generated by AdminURLFieldWidget displayed
> the provided value without validating it as a safe URL. Thus, an
> unvalidated value stored in the database, or a value provided as a URL query
> parameter payload, could result in a clickable JavaScript link.
> AdminURLFieldWidget now validates the provided value using URLValidator
> before displaying the clickable link. You may customize the validator by
> passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g.
> when using formfield_overrides.
> Patched bundled jQuery for CVE-2019-11358: Prototype pollution
> jQuery before 3.4.0 mishandles jQuery.extend(true, {}, ...) because of
> Object.prototype pollution. If an unsanitized source object contained an
> enumerable __proto__ property, it could extend the native Object.prototype.
> The bundled version of jQuery used by the Django admin has been patched to
> allow for the select2 library’s use of jQuery.extend().
> For more details, see the release notes:
> https://docs.djangoproject.com/en/dev/releases/2.1.9/
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
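The two defect classes named in the quoted release note, shown side by side as an added JavaScript example that is not Buildroot's, Django's or jQuery's code: a render-time URL scheme check of the kind AdminURLFieldWidget now performs, and a naive recursive merge in the style of the pre-3.4.0 jQuery.extend(true, ...) next to a hardened variant that skips keys reaching the prototype chain. All function names, the allowed scheme set (assumed to be http/https/ftp/ftps) and the sample JSON input are assumptions constructed for the example.

```javascript
// Added example (not Buildroot's, Django's or jQuery's code). Names and
// the scheme allow-list are assumptions made for illustration.

const SAFE_SCHEMES = new Set(["http:", "https:", "ftp:", "ftps:"]);

// Returns the href to put on a "Current URL" style link, or null when the
// stored value must not become a clickable link. Validating at render time
// means a value that reached the database unvalidated, or arrived as a
// query parameter, still cannot be rendered as a javascript: link.
function safeLinkHref(value) {
  let parsed;
  try {
    parsed = new URL(String(value));
  } catch (e) {
    return null; // not an absolute URL at all
  }
  return SAFE_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Naive deep merge in the style of jQuery.extend(true, target, source)
// before the fix: it visits every enumerable own key of the source,
// including an own "__proto__" key. Reading target["__proto__"] on a plain
// object yields Object.prototype, so the recursion writes onto it.
function naiveDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (val && typeof val === "object" && !Array.isArray(val)) {
      if (!target[key] || typeof target[key] !== "object") target[key] = {};
      naiveDeepExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Keys that can reach the prototype chain through a plain object.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened merge: skips the forbidden keys and only recurses into
// properties the target actually owns, so no write can land on a shared
// prototype. Otherwise behaves like the naive version.
function safeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = source[key];
    if (val && typeof val === "object" && !Array.isArray(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !target[key] || typeof target[key] !== "object") target[key] = {};
      safeDeepExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed untrusted input. JSON.parse is used on purpose: it creates an
// own enumerable "__proto__" key, whereas an object literal with __proto__
// would merely set the new object's prototype.
const UNTRUSTED_JSON = '{"__proto__": {"polluted": "yes"}, "name": "select2"}';

// Reports whether merging the untrusted input through `merge` added a
// "polluted" property to a freshly created, unrelated object. Any pollution
// is removed afterwards so the check is repeatable.
function pollutesObjectPrototype(merge) {
  merge({}, JSON.parse(UNTRUSTED_JSON));
  const leaked = ({}).polluted === "yes";
  delete Object.prototype.polluted;
  return leaked;
}

console.log("naive merge pollutes:", pollutesObjectPrototype(naiveDeepExtend));
console.log("safe merge pollutes:", pollutesObjectPrototype(safeDeepExtend));
console.log("javascript: href allowed:", safeLinkHref("javascript:void(0)"));
```

The check in `pollutesObjectPrototype` looks at a brand-new object rather than the merge target, which is the point of the bug: the damage is not confined to the object being extended but shows up on every object in the runtime. The `safeLinkHref` half follows the same principle as the widget fix, validating at the point of rendering instead of trusting that storage or the request already did.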